Skip to content
Patchstack Docs

List all vulnerabilities

GET
/all

Paginated listing of every published vulnerability for the given platform, ordered by descending id.

Supports two independent pagination strategies:

  • Offset (?page=&per_page=) — returns a pagination block with totals. Easy to jump to a specific page; slower at depth and susceptible to row-shift when new vulnerabilities land while paging.
  • Cursor (?cursor=) — returns a cursor block with next_cursor, has_more, per_page. Stable under concurrent inserts and faster at any depth. No total count.

cursor and page are mutually exclusive; passing both returns 422 Unprocessable Entity.

Authorizations

Section titled “Authorizations ”

Parameters

Section titled “ Parameters ”

Query Parameters

Section titled “Query Parameters ”
platform
string
default: wordpress
Allowed values: wordpress npm

Platform to query. Case-insensitive.

page
integer
default: 1 >= 1

Offset-pagination page (1-indexed). Mutually exclusive with cursor.

per_page
integer
default: 100 >= 1 <= 500

Page size.

cursor
string

Opaque cursor. Presence of the param switches to cursor mode (send an empty value to bootstrap). Mutually exclusive with page.

include
string
Allowed values: details

Pass details to include the full advisory body (advisory_details) per item.

Responses

Section titled “ Responses ”

200

Section titled “200 ”

Paginated vulnerability listing.

One of:
object
vulnerabilities
required
Array<object>

Per-item shape shared across list endpoints when platform=npm.

object
id
required

Stable Patchstack vulnerability id.

integer
Example
46500
title
required

Human-readable title (prefixed with NPM: for npm advisories).

string
Example
NPM: OpenClaw: ...
disclosed_at
required

When the vulnerability was publicly disclosed.

string format: date-time
created_at
required

When the row was inserted into the Patchstack DB. Drives /latest windowing.

string format: date-time
url
required

Public Patchstack vulnerability page (token-tagged).

string format: uri
vuln_type
required

High-level vulnerability category.

string
Example
Other Vulnerability Type
cve
required

First CVE identifier, or empty string when none is assigned.

string
Example
2026-41331
is_exploited
required

Whether exploitation has been observed in the wild.

boolean
patch_priority
required

1 (low) to 3 (high).

integer
>= 1 <= 3
advisory_details

Full advisory body (markdown). Only present when ?include=details was passed.

string
product
required
object
id
required
integer
name
required
string
slug
required
string
cvss
required
object
score
number format: float
nullable
vector
string
nullable
cwe
required
object
id
integer
nullable
name
string
nullable
capec
required
object
id
integer
nullable
name
string
nullable
references
required

External reference URLs (advisories, commits, tags).

Array<string>
ghsa
required

GHSA identifier when the advisory came from the GitHub Advisory Database.

string
version_info
required
object
affected
required

Affected version range (e.g. <= 2026.3.28).

string
fixed
required

First fixed version.

string
patched_ranges
required

Structured list of patch ranges for advisories with multiple patch ranges.

Array<object>
object
from_version
string
to_version
string
fixed_in
string
Example
{
  "id": 46500,
  "title": "NPM: OpenClaw: ...",
  "disclosed_at": "2026-04-03T03:15:56+00:00",
  "created_at": "2026-04-21T08:38:34+00:00",
  "url": "https://patchstack.com/database/npm/npm/openclaw/vulnerability/...",
  "vuln_type": "Other Vulnerability Type",
  "cve": "2026-41331",
  "is_exploited": false,
  "patch_priority": 2,
  "advisory_details": "## Summary\n...",
  "product": {
    "id": 23595,
    "name": "openclaw",
    "slug": "openclaw"
  },
  "cvss": {
    "score": 6.9,
    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
  },
  "cwe": {
    "id": 770,
    "name": "Allocation of Resources Without Limits or Throttling"
  },
  "capec": {
    "id": null,
    "name": null
  },
  "references": [
    "https://github.com/openclaw/openclaw/security/advisories/GHSA-m6fx-m8hc-572m",
    "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
  ],
  "ghsa": "GHSA-m6fx-m8hc-572m",
  "version_info": {
    "affected": "<= 2026.3.28",
    "fixed": "2026.3.31",
    "patched_ranges": []
  }
}
pagination
required
object
current_page
required
integer
Example
1
per_page
required
integer
Example
25
total
required
integer
Example
6115
total_pages
required
integer
Example
245
has_next_page
required
boolean
Example
true
has_previous_page
required
boolean
next_page
integer
nullable
Example
2
previous_page
integer
nullable
from
required
integer
Example
1
to
required
integer
Example
25
Examples

Offset mode

{
  "vulnerabilities": [],
  "pagination": {
    "current_page": 1,
    "per_page": 25,
    "total": 6115,
    "total_pages": 245,
    "has_next_page": true,
    "has_previous_page": false,
    "next_page": 2,
    "previous_page": null,
    "from": 1,
    "to": 25
  }
}

401

Section titled “401 ”

Missing or invalid PSKey header.

403

Section titled “403 ”

API key not authorised for the requested endpoint.

422

Section titled “422 ”

Invalid parameter combination (e.g. cursor + page), invalid platform, or per_page > 500.

429

Section titled “429 ”

Rate limit exceeded.